[ovs-dev] [PATCH] FAQ: Document the necessity of ct(alg=ftp).
Joe Stringer
joe at ovn.org
Mon Dec 12 19:16:50 UTC 2016
Automatic helper assignment was disabled in Linux 4.7 or later, in
upstream commit 3bb398d925ec ("netfilter: nf_ct_helper: disable
automatic helper assignment").
Signed-off-by: Joe Stringer <joe at ovn.org>
---
Documentation/faq/openflow.rst | 14 ++++++++++++++
1 file changed, 14 insertions(+)
diff --git a/Documentation/faq/openflow.rst b/Documentation/faq/openflow.rst
index d31bbef96c81..632f8e7190da 100644
--- a/Documentation/faq/openflow.rst
+++ b/Documentation/faq/openflow.rst
@@ -535,3 +535,17 @@ Q: The "learn" action can't learn the action I want, can you improve it?
- At least some of the features described in T. A. Hoff, "Extending Open
vSwitch to Facilitate Creation of Stateful SDN Applications".
+Q: When using the "ct" action with FTP connections, it doesn't seem to matter
+if I set the "alg=ftp" parameter in the action. Is this required?
+
+ A: Before Linux 4.7, automatic helper assignment was enabled by default.
+ This means is that even if you do not specify ALGs, the traffic will be put
+ through that ALG. In such cases, it is possible to construct OpenFlow
+ tables using conntrack actions that are missing the FTP option, and the
+ conntrack action will still track that FTP connection and correlate its
+ sessions. When using kernels 4.7 or higher, or if the "nf_conntrack_helper"
+ sysctl is disabled, you should always specify the alg option for FTP
+ control connections.
+
+ For more context, see the blog post from the netfilter team:
+ http://www.netfilter.org/news.html#2012-04-03
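Review bot: In the first sentences of the answer, "This means is that" has a stray "is", and "that ALG" has no antecedent because the preceding clause only mentions ALGs in general. Suggest something like "This means that even if you do not specify an ALG, FTP traffic will still be put through the FTP helper." The closing sentence would be easier to act on if it repeated the literal "alg=ftp" syntax from the question rather than "the alg option", and if it said what "disabled" means for the "nf_conntrack_helper" sysctl. The commit message cites upstream commit 3bb398d925ec as the source of the behaviour change, but the FAQ text only links the 2012 news post; consider naming that commit in the answer as well so readers can tie "4.7" to a specific change.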
--
2.10.2